# talk-oathkeeper
h
Hi everyone! I have an Oathkeeper instance that uses a Kratos instance (also managed by me) as the "cookie_session" authenticator handler. I have two kinds of identity schemas defined in Kratos: one for "admins" and another one for "users". How can I configure Oathkeeper so it has an access rule that only forwards requests for "admins" but denies access for "users"?
Do I need Keto for this?
d
I think that for your case the ideal solution would be to implement a simple microservice with one endpoint that does the following steps:
1. Calls the `/sessions/whoami` endpoint
2. Checks the session and returns 200 OK for admins (you can rely on the schema id of the session object)
You can use Keto when you need to have more permissions
h
🤔 makes sense.. So Keto can provide this but it'd overcomplicate things, right? That said.. It could make sense to set up Keto if I plan to continue adding more rules, right? E.g. I introduce a new identity schema for developers, and developers have intermediate permissions
Thanks for your help by the way @User
d
For this particular case yes, Keto will overcomplicate things
Yep. You’re right 😉
h
Awesome, thanks again